Abstract

Secret sharing is an important component of several cryptographic protocols. These include protocols for secure 
multiparty function computation, key management, and secure archival storage. Most protocols assume that the 
dealer has direct communication links with every participant, in which case, the dealer can directly communicate 
the respective shares to all participants. 

In this paper, we consider the problem of disseminating shares of a secret when the dealer and the participants 
form a general network. We provide an algorithm for secret share dissemination that is communication-efficient, 
distributed and deterministic. Interestingly, the solution constitutes an instance of a network coding problem admitting 
a distributed and deterministic solution, and furthermore, handles the case of nodal-eavesdropping, about which very 
little appears to be known in the literature.



I. Introduction 

Shamir's classical (k, n) secret sharing scheme [1] is an essential ingredient of several cryptographic protocols.
The scheme considers a set of (n + 1) entities: a dealer and n participants. The dealer possesses a secret s and 
wishes to pass functions (called shares) of this secret to the n participants, such that the following properties are 
satisfied: 

• k-secret-recovery: the shares of any k participants suffice to recover the secret 

• (k − 1)-collusion-resistance: the aggregate data gathered by any (k − 1) nodes reveals no knowledge (in the
information-theoretic sense) about the secret.

Several cryptographic protocols in the literature require execution of one or more instances of secret share
dissemination. These include protocols for secure multiparty computation [2]-[7], secure key management [8], [9],
general Byzantine agreement between all participants [10]-[12], proactive secret sharing [13], [14], and secure
archival storage [15].

Most protocols, including those listed above, assume that the dealer has direct communication links to every
participant. In this case, the dealer can compute the shares as per Shamir's scheme [1] and directly pass the shares
to the respective participants. This setting is depicted in Fig. 1a for the parameters k = 2 and n = 6.



In several situations, the dealer may not have direct communication links with every participant; instead, the
dealer and the participants may form a more general network. Fig. 1b depicts such a scenario. More formally,
consider a graph G with (n + 1) vertices. These (n + 1) vertices comprise the dealer and the n participants. An
edge in this graph implies a secure communication channel between its two end-points, while the absence of an
edge denotes the non-existence of any direct communication channel.

Under a general network G, all communication between the dealer and a participant who is not directly connected
to it must pass through other participants in the network. This poses the challenge of designing protocols where
the dealer can disseminate shares to all participants without leaking any additional information to any participant.

A solution that is typically employed in the literature is to execute a pairwise agreement protocol, once separately
for each participant. Under such a solution, in order to communicate the designated share to any participant,
the dealer treats this share as a secret, and employs Shamir's scheme to compute k shares of this secret. The
dealer then communicates these k shares to the participant through k vertex-disjoint paths (alternatively, the dealer
may employ a more general protocol for Byzantine agreement [2], [16], [17] for the communication with each
participant). However, such a solution incurs a high communication cost, since the dealer needs to execute the
pairwise agreement protocol separately for every participant. Moreover, the requirement of setting up k disjoint
paths to every participant requires significant coordination in the network.

[Figure 1: (a) Dealer connected to all participants; (b) Dealer and participants forming a general network]

Fig. 1: Shamir's secret sharing scheme for k = 2 and n = 6 participants. The share of participant i (1 ≤ i ≤ 6) is
s + ir, where s is the secret and r is a value chosen uniformly at random from the finite field of operation. (a) All
participants are connected directly to the dealer, allowing the dealer to directly pass the shares. (b) The dealer and
the participants form a general network, where the dealer cannot pass shares directly to participants 3, 4, 5 and 6.

We now provide an illustration of a scheme employing pairwise agreement protocols, accompanied by an
illustration of our algorithm, on the network of Fig. 1b.



Example 1: Consider the network in Fig. 1b. Let n = 6 and k = 2, with the alphabet of operation a finite
field F_q of size q > 6. Under Shamir's scheme of encoding the secret s, the share t_i (1 ≤ i ≤ 6) for participant i is
t_i = s + ir, where r is a value chosen by the dealer uniformly at random from the alphabet. While the dealer can
directly pass the shares t_1 and t_2 to participants 1 and 2 respectively, the difficulty arises in communicating shares
to the remaining participants with whom the dealer does not have direct communication links. For instance, if the
dealer tries to pass share t_3 to participant 3 by simply communicating along the path dealer → 1 → 3, then
participant 1 gains access to two shares, t_1 and t_3. Using these two shares, participant 1 can unilaterally recover
the secret s, thus violating the (k − 1)-collusion-resistance requirement.

A typical method employed in the literature to overcome this issue is to use pairwise agreement protocols,
as depicted in Fig. 2a. To pass share t_3 to participant 3, the dealer chooses another random value r_3, and passes
(t_3 + r_3) along the path dealer → 1 → 3 and the other share along the path dealer → 2 → 3. Now, participant 3 can recover
its share t_3, and no participant gains any additional information about the secret s in this process. In a similar
manner, the dealer can communicate t_i (4 ≤ i ≤ 6) to participant i by passing (t_i + r_i) and the other share through k = 2 vertex-
disjoint paths. Although this solution guarantees successful share dissemination, it is communication-inefficient,
and requires considerable coordination in the network to set up the disjoint paths.

Observe that the protocol described above has several random values {r_i}_{i=3}^{6} that are transmitted across several
hops in the network in a particular step, but which are never used subsequently in the protocol. Thus, in order to
design efficient algorithms, one may wish to propagate random values in a manner that allows their subsequent
reuse. Fig. 2b depicts our algorithm for secret share dissemination, which requires a communication of only 12
values over the links, as opposed to 24 in the previous algorithm. Furthermore, this algorithm requires the generation
of only 2 random values, as compared to 5 previously.



[Figure 2: (a) Using a pairwise agreement protocol; (b) Algorithm of this paper]

Fig. 2: Two algorithms for secret share dissemination across the network of Fig. 1b for n = 6 and k = 2: (a)
existing algorithm using a pairwise agreement protocol, and (b) new algorithm proposed in this paper. The text on
an edge is the data passed by the node on the left end-point of the edge to the node at the right end-point. The
values of {r, r_3, r_4, r_5, r_6, r_a} are chosen uniformly and independently at random from F_q. Under both algorithms,
each participant i (1 ≤ i ≤ 6) successfully receives the share (s + ir). The algorithm in (a) requires 24 units of
communication, as compared to only 12 under the algorithm in (b).



In this paper, we consider the problem of efficient dissemination of the shares of a secret to participants 
forming a general communication network. We provide an algorithm that concurrently disseminates the shares 
to all participants, for a wide class of networks. This entails a much lower communication cost. Moreover, the 
algorithm is completely distributed: the actions of each node are independent of the network topology, and every 
node needs to know only the identities of its one-hop neighbours. As a result, this algorithm is also robust to any 
run-time changes in the network topology (e.g., removal or addition of new links). Furthermore, the algorithm has 
a polynomial time computation complexity. The algorithm can also be extended to perform verification of shares 
to combat a cheating dealer or actively adversarial participants, two-threshold secret sharing, and addition of new 
participants in the absence of the dealer. 
The problem of secret share dissemination can also be cast as a specific instance of a network coding problem [18],
[19], as described later in the paper. The literature on secure network coding largely considers models where a
bounded number of links in the network may be compromised to an eavesdropper. However, the problem at hand 
transforms into a problem where a bounded number of nodes in the network are compromised, about which very 
little appears to be known in the literature. Thus, the solution presented in this paper turns out to be an instance 
of a network coding problem that admits a distributed, deterministic and communication-efficient solution. 

As an interesting intellectual connection, the algorithm presented in this paper is based on a variant of the Product-
Matrix codes, which were originally constructed in [20], [21] for distributed storage networks. These codes possess
interesting properties, which the algorithm exploits.

The remainder of the paper is organized as follows. Section II provides a formal description of the system model
and states the results of this paper. Section III reviews Shamir's secret sharing scheme and the related literature.
Section IV describes the algorithm in full generality. Section V presents conclusions. Several properties, extensions
and additional applications of the algorithm are discussed in Appendix A.



II. System Model 

A. The Secret-share Dissemination Problem 

The dealer possesses a secret s that is drawn from some alphabet A, and wishes to pass shares of this secret
to n participants. The dealer and the participants form a communication network, denoted by graph G. The graph
G has (n + 1) vertices comprising the dealer and the n participants¹, and an edge in the graph denotes a private
communication link between the two end-points. The problem is to design a protocol which will allow the dealer
to pass shares (of the secret) to the n participants, meeting the requirements of (k − 1)-collusion-resistance and
k-secret-recovery (described in Section I). All the participants are assumed to be honest-but-curious, i.e., they follow
the protocol correctly, but may store any accessible data to gain information about the secret (the case of active
adversaries is considered in Appendix A). The edges in the graph G may be directed or undirected: a directed edge
implies existence of only a one-way communication link, while an undirected edge implies direct communication
links both ways.

The following is a necessary condition on graph G for any algorithm to successfully perform secret share
dissemination.

Condition 1 (k-connected-dealer): Each of the n participants in the graph is either directly connected to the
dealer or has at least k vertex-disjoint paths between the dealer and itself.

Proof: The proof of the necessity of this condition is straightforward. If there is a vertex (say, vertex i) that
violates the k-connected-dealer condition, then there exists a set V_{k−1} of (k − 1) other vertices such that all paths
from the dealer to vertex i necessarily pass through at least one of the vertices in V_{k−1}. Thus the entire share of
participant i can be reconstructed by the participants in V_{k−1}. It follows that a collusion of the (k − 1) nodes in V_{k−1}
can put together their own (k − 1) shares along with the share of node i and recover s, thus violating the (k − 1)-
collusion-resistance property. ∎

Thus no algorithm can operate successfully on all network topologies, and must at least require the graph G to
obey the k-connected-dealer condition. Moreover, as is typical of many such problems, an algorithm constructed for
this problem may require the network topology to satisfy certain additional structural assumptions. However, in
practice, the structure of the network graph may not be known beforehand. Moreover, under a dynamic network, the
graph structure may also vary with time. This leads to a natural question about the outcome of an algorithm over
a network that does not meet the conditions required by the algorithm. Since the security of the data is paramount,
it is desirable that the algorithm continues to satisfy the (k − 1)-collusion-resistance property irrespective of the
network topology. We formalize this notion in terms of the following additional requirement.

¹Thus, at times, we will also refer to a participant as a vertex or a node of the graph.



[Figure 3: (a) Layered network; (b) Backbone network; (c) One-dimensional geometric network (say, deployment of sensors on the border)]

Fig. 3: Examples of networks satisfying the 3-propagating-dealer condition (any node in the network may be the
dealer).

Robustness to network topology: Consider any algorithm designed to work on a class of graphs 𝒢, and let G
be the actual realization of the communication graph. If G ∈ 𝒢 then the algorithm must accomplish secret
share dissemination, and if G ∉ 𝒢 then running the algorithm on the network G should leak no information
about the secret.

The problem considered here is to construct efficient algorithms for secret share dissemination that satisfy the three
conditions of (i) k-secret-recovery, (ii) (k − 1)-collusion-resistance, and (iii) robustness to the network topology.
The algorithm presented in this paper meets these conditions for a wide class of networks. The class of networks
on which our algorithm can operate successfully is described below.



B. Class of Networks Considered 

The algorithm presented in this paper requires the communication network G to satisfy the following condition. 

Condition 2 (k-propagating-dealer): There exists an ordering of the n participants in the graph such that every 
vertex is either directly connected to the dealer, or to some k nodes preceding it in the ordering. 

We note that while the algorithm constructed in this paper requires the existence of some such ordering, the 
execution of the algorithm is completely distributed and oblivious to the actual ordering. 



As an illustration of this condition, consider the network of Example 1 (Fig. 1b). This network satisfies the
2-propagating-dealer condition, with the ordering 1, 2, 3, 4, 5, 6; observe that this is also the order in which the
participants receive their shares under our algorithm (Fig. 2b). Fig. 3 depicts three examples of graphs that satisfy
the 3-propagating-dealer condition. These examples can be generalized to the following classes of graphs:

(a) Layered networks, with each layer containing at least k nodes, and each node connected to all nodes in the
neighbouring layers. An ordering that satisfies the k-propagating-dealer condition is the ordering of the nodes
with respect to their distance (in number of hops) from the dealer.

(b) Networks with a fully-connected 'backbone' component, where each node outside the backbone is connected
directly to at least k nodes in the backbone. An ordering that satisfies the k-propagating-dealer condition is:
neighbours of the dealer, followed by all remaining nodes in the backbone, followed by all remaining nodes
not in the backbone.

(c) k-connected one-dimensional geometric networks. A one-dimensional geometric network is formed by arranging
the nodes (in an arbitrary fashion) along a line, and connecting a pair of nodes by an edge if the distance between
them is smaller than a fixed threshold. A one-dimensional geometric network that satisfies the k-connected-dealer
condition also satisfies the k-propagating-dealer condition. An ordering that satisfies the k-propagating-dealer
condition is the arrangement of the nodes in ascending order of their Euclidean distance from the dealer.

In addition, any directed acyclic graph (DAG) that satisfies the k-connected-dealer condition automatically satisfies
the k-propagating-dealer condition: any topological ordering of the DAG will satisfy the k-propagating-dealer
condition. Moreover, given any graph G, the k-propagating-dealer condition can be verified in a computationally
efficient manner; this is described later in Section IV-C.
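As an added illustration (not from the paper), the following Python decides whether a given graph satisfies the k-propagating-dealer condition by a greedy closure that starts from the dealer's neighbours and keeps admitting any participant that can hear from k already-admitted participants; the closure is exact because admitting a vertex never stops another from becoming admissible, so the order of admission is a valid ordering whenever one exists. The edge lists are constructed inputs, and the edges among participants 3 to 6 of the Fig. 1b network are our own assumption, consistent with the paper's description of that figure.

```python
# Added example: greedy decision procedure for the k-propagating-dealer condition
# (Condition 2). Not the paper's own verification method from Section IV-C.
from collections import deque

DEALER = "dealer"

def propagating_dealer_order(edges, participants, k):
    """Return an ordering that satisfies the k-propagating-dealer condition,
    or None if the graph admits no such ordering.

    `edges` is an iterable of (u, v) pairs meaning u can send to v; an undirected
    link is given as both directions. `participants` lists the non-dealer vertices.

    Correctness of the greedy closure: take any valid ordering and the first vertex
    in it that the closure never admitted. Its k required predecessors (or the
    dealer) all precede it and hence were admitted, so the closure would have
    admitted it too. Thus the closure admits every vertex iff the condition holds.
    """
    senders_to = {v: set() for v in participants}
    for u, v in edges:
        if v != DEALER:
            senders_to[v].add(u)

    admitted, order = set(), []
    queue = deque(v for v in participants if DEALER in senders_to[v])
    while queue:
        v = queue.popleft()
        if v in admitted:
            continue
        admitted.add(v)
        order.append(v)
        # Any participant that now sees k admitted senders becomes admissible.
        for w in participants:
            if w not in admitted and len(senders_to[w] & admitted) >= k:
                queue.append(w)
    return order if len(order) == len(participants) else None

def undirected(pairs):
    """Expand undirected links into both directed pairs."""
    return [(u, v) for a, b in pairs for (u, v) in ((a, b), (b, a))]

# Constructed network consistent with the paper's Fig. 1b: the dealer is adjacent
# only to participants 1 and 2; each later participant is adjacent to two earlier
# ones. The exact edges among participants 3..6 are an assumption.
FIG1B = undirected([(DEALER, 1), (DEALER, 2), (1, 3), (2, 3), (2, 4), (3, 4),
                    (3, 5), (4, 5), (4, 6), (5, 6)])

# Constructed chain dealer - 1 - 2 - 3: fine for k = 1, impossible for k = 2.
CHAIN = undirected([(DEALER, 1), (1, 2), (2, 3)])

if __name__ == "__main__":
    print(propagating_dealer_order(FIG1B, [1, 2, 3, 4, 5, 6], 2))  # [1, 2, 3, 4, 5, 6]
    print(propagating_dealer_order(FIG1B, [1, 2, 3, 4, 5, 6], 3))  # None
    print(propagating_dealer_order(CHAIN, [1, 2, 3], 2))           # None
```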



Apart from the parameters n and k, an additional parameter d is associated with our algorithm. We saw earlier that
the k-connected-dealer condition is necessary for any secret share dissemination algorithm, and the algorithm
presented in this paper requires the k-propagating-dealer condition to be satisfied. Now, assuming that these
necessary conditions have been met, one would intuitively expect the efficiency of the algorithm to increase with
the connectivity of the graph. The parameter d is used to capture this intuition: our algorithm takes the parameter
d (≥ k) as input, and under the assumption that the graph satisfies the d-propagating-dealer condition, achieves a
greater communication efficiency.

Note that the algorithm is robust to the network topology, and hence will not leak any information in the event 
of the network not satisfying the specified condition. 

C. Precise Statement of the Result 

This paper presents a communication-efficient, distributed and deterministic algorithm that takes parameters n, k
and d (≥ k) as input, and enables a dealer to pass shares of a secret to the n participants, such that the properties
of

• k-secret-recovery, when the network satisfies the d-propagating-dealer condition,

• (k − 1)-collusion-resistance, and

• robustness to network topology (i.e., no information is leaked if the graph does not satisfy the required conditions)
are satisfied. The communication efficiency of the algorithm increases with the value of d.

D. Notational Conventions 

Throughout the paper we follow the standard convention of denoting vectors in boldface and matrices by upper-case
letters. A vector will be treated as a column vector by default, and a row vector will be written as the transpose
of the corresponding column vector. The transpose of a vector or matrix will be denoted by a superscript T. For any
integer i ≥ 1, [i] will represent the set {1, ..., i}.

III. Related Literature 

A. Shamir's Secret Sharing Protocol 



We first give a brief review of Shamir's secret sharing protocol [1]. We assume for now that the dealer has a
direct (secure) communication link with every participant (as in Fig. 1a).
Assume that the secret s is drawn from some finite field F_q of size q (> n). The dealer picks (k − 1) values
{r_i}_{i=1}^{k−1} uniformly and independently at random from F_q. Define a k-length vector m as²

m = [s \; r_1 \; r_2 \; \cdots \; r_{k-1}]^T.   (1)

Next, define a set of n vectors each of length k, as 

\psi_i^T = [1 \; i \; i^2 \; \cdots \; i^{k-1}].   (2)

The share ti of participant i is simply the inner product 

t_i = \psi_i^T m.   (3)

It can be verified that for any set I ⊆ [n] of cardinality k, the secret s can be recovered from the set of values
{ψ_i^T m}_{i∈I}. Furthermore, it can also be verified that for any set I' ⊆ [n] of cardinality smaller than k, the set
{ψ_i^T m}_{i∈I'} provides no knowledge about s.

Under the assumption that the dealer has direct communication links with each of the n participants, the dealer 
can simply pass ti to participant i. This completes the description of Shamir's secret sharing protocol. 

We now describe some protocols in the literature that address the situation when the dealer may not have
direct communication links with all participants. Under each of these protocols, we discuss only the conditions of
(k − 1)-collusion-resistance and k-secret-recovery (and not the condition of robustness to network structure).



B. Pairwise Agreement Protocols 



This section describes a protocol for secret share dissemination based on pairwise agreement protocols [2], [16],
[17]. Fig. 2a in Example 1 is an example of such a protocol. Under this protocol, the dealer first encodes the
secret s into n shares {t_i}_{i=1}^{n} using Shamir's secret sharing scheme [1]. To every node ℓ directly connected to the
dealer, the dealer directly passes its share t_ℓ. For each remaining node, the dealer executes the following protocol
of 'pairwise agreement', once separately for each such node. Let ℓ now denote a node that is not connected
directly to the dealer. The dealer applies Shamir's secret sharing scheme treating t_ℓ as a secret, and computes k
shares {u_{ℓj}}_{j=1}^{k} as

u_{\ell j} = [1 \; j \; j^2 \; \cdots \; j^{k-1}] \, [t_\ell \; r_{\ell,1} \; \cdots \; r_{\ell,k-1}]^T,   (4)

where the values {r_{ℓ,1}, ..., r_{ℓ,k−1}} are chosen independently and uniformly at random from F_q. The dealer then
finds k vertex-disjoint paths (from itself) to node ℓ, and passes u_{ℓj} along the j-th of these paths (1 ≤ j ≤ k). At the end of
this pairwise agreement protocol, node ℓ receives {u_{ℓj}}_{j=1}^{k}, from which it can recover its share t_ℓ. Moreover, since
each of the random values is independent, no participant can obtain any information about any other participant's
share, or any additional information about the secret s. This process is repeated once for every node that is not
connected directly to the dealer.

The protocol described above requires transmission of data across k vertex-disjoint paths once for every node
that is not connected directly to the dealer. Thus this protocol is not very efficient in terms of communication
complexity, and furthermore, is not distributed.



²To suit the description of the algorithm developed subsequently in this paper, we deviate from the customary polynomial-based description
of Shamir's protocol, and employ a matrix-based notation instead.
C. Network Coding

A multicast network coding problem [18] considers transmission of data across a network which is represented
by a graph. Each edge in the graph denotes a communication link between its two end points. One of the nodes
in this graph is the 'source', where the data to be transmitted (called the 'message') is generated. One or more nodes
in the network are the 'sinks', and it is required that the entire message be recovered by each of the sinks. The
remaining nodes in the network only act as intermediate nodes, and aid in the communication. The data transmitted
by a node along an edge incident on it can be an arbitrary function of the data it previously received.

The problem considered in this paper can be modelled as a multicast network coding problem in the following
manner. The dealer is the source node, and the secret s is the message. The network graph in the network coding
problem is identical to that in the secret sharing problem, but with a set of \binom{n}{k} additional nodes that act as the sinks.
Each of the \binom{n}{k} sinks is connected to some set of k participants, with one edge to each of these k participants.
This corresponds to the condition of k-secret-recovery. To satisfy the (k − 1)-collusion-resistance property, no set
of (k − 1) nodes (excluding the source and sinks) should be able to obtain any information about the message.
This is equivalent to a network coding problem requiring secrecy from an eavesdropper that can gain access to a
subset of the nodes. However, with respect to this setting, very little appears to be known in the network coding
literature.



To the best of our knowledge, the literature on secure network coding (e.g., [19], [22]-[24]) considers only
the setting where the eavesdropper gains access to a subset of the links. The problem of node-compromise is
treated as a case of link-compromise by allowing the eavesdropper to gain access to all links that are incident
upon the compromised nodes. In [19], [24], the authors consider the setting wherein a collection of subsets of the
links is specified, and an eavesdropper may gain access to precisely one of these subsets. However, the scheme
provided is not explicit, and requires the size of the finite field to be exponential in n. The algorithm depends on
knowledge of the network topology, and even given the network topology, it is computationally difficult to obtain the
precise actions to be performed at the nodes under this algorithm. Moreover, the scheme requires the graph to satisfy
a particular condition, which is almost always violated in our problem setting. On the other hand, communication-
efficient algorithms to secure a network from an eavesdropper having access to a bounded number of links are
provided in [22], [23]. Given the network topology, the actions to be performed at the nodes can be derived in a
computationally efficient manner. However, these algorithms communicate a message of size equal to the difference
between the largest message that can be sent in the absence of secrecy requirements and the bound on the number of
compromised links. Under our problem setting, this difference will generally be zero or smaller (e.g., the difference
is −2 in the network of Fig. 1b), thus rendering these algorithms inapplicable.

The algorithms currently found in the network coding literature, even for the setting where there are no secrecy 
requirements, are either random (thus not guaranteed) [25], or deterministic but centralized [26]. Thus, the results 
of this paper present a case where an instance of a network coding problem admits a distributed and deterministic 
solution. 

IV. Algorithm for Secret Share Dissemination 

This section presents the main result of the paper. Consider a network G that obeys the d-propagating-dealer
condition (Condition 2) for some parameter d (≥ k). The secret s belongs to the alphabet A, and we assume that
A = F_q^{d−k+1}, for some q > n. Thus we can equivalently denote the secret as a vector s = [s_1 s_2 ⋯ s_{d−k+1}]^T
with each element of this vector belonging to the finite field F_q.

A. Initial Setting up by the Dealer 

The dealer first constructs an (n × d) Vandermonde matrix Ψ with the i-th (1 ≤ i ≤ n) row of Ψ being

\psi_i^T = [1 \; i \; i^2 \; \cdots \; i^{d-1}].   (5)

The vector ψ_i is termed the encoding vector of node i.

Next, the dealer constructs a (d × d) symmetric matrix M comprising the secret s and a collection of randomly
generated values as follows³:

M = \begin{bmatrix} S_A & r_a^T & S_B^T \\ r_a & R_B & R_C^T \\ S_B & R_C & 0 \end{bmatrix},   (6)

where the depicted sub-matrices of M are

• S_A = s_{d−k+1} is a scalar,

• S_B = [s_1 ⋯ s_{d−k}]^T is a vector of length (d − k),

• r_a is a ((k − 1) × 1) vector, i.e., a vector of length (k − 1),

• R_B is a ((k − 1) × (k − 1)) symmetric matrix with its k(k − 1)/2 distinct entries populated by random values,

• R_C is a ((d − k) × (k − 1)) matrix with its (d − k)(k − 1) entries populated by random values.

These random values are all picked independently and uniformly from F_q. Note that the total number of random
values in M is

R = (k-1) + \frac{k(k-1)}{2} + (k-1)(d-k) = (k-1)\,d - \frac{(k-1)(k-2)}{2}.   (7)

The entire secret is contained in the components S_A and S_B, as s = [s_1 ⋯ s_{d−k+1}]^T = [S_B^T \; S_A]^T.



Observe that the structure of M as described in (6), along with the symmetry of matrix R_B, makes the matrix
M symmetric.



The share t_j for participant j (1 ≤ j ≤ n) is a vector of length (d − k + 1):

t_j^T = \psi_j^T \begin{bmatrix} S_A & S_B^T \\ r_a & R_C^T \\ S_B & 0 \end{bmatrix}.   (8)

We shall show subsequently in Theorem 2 that any k of these shares suffice to recover the entire secret.

Remark 1: To see these shares in the conventional polynomial representation of Shamir's secret sharing scheme,
recall that the vector ψ_j is drawn from a Vandermonde matrix. Thus each component of t_j in (8) can be seen as the
evaluation of a polynomial at the value j. Thus there is one polynomial for each secret value s_i (1 ≤ i ≤ d − k + 1),
having the corresponding secret symbol as its constant term and the remaining coefficients picked randomly.



B. Communication across the Network 

For any participant j (1 ≤ j ≤ n), denote the set of its neighbours by N(j). Denote the set of neighbours of the
dealer as N(dealer). Algorithm 1 describes the communication protocol to securely transmit the shares {t_j}_{j=1}^{n} to
the n participants.

³The reader familiar with the literature on regenerating codes for distributed storage may notice that we employ the MBR version (and
not the MSR version) of the product-matrix codes [20]. We make this choice to guarantee secrecy from honest-but-curious participants, who
may store all the data that they receive, a characteristic of the MBR point on the storage-bandwidth tradeoff [27].
Algorithm 1 Communication Protocol

Dealer: For every j ∈ N(dealer), compute and pass the d-length vector ψ_j^T M to participant j.

Participant ℓ ∈ N(dealer): Wait until receipt of the data ψ_ℓ^T M from the dealer. Upon receipt, perform the
following actions. For every j ∈ N(ℓ), compute the inner product of the data ψ_ℓ^T M with the encoding vector ψ_j
of participant j. Transmit the resultant value ψ_ℓ^T M ψ_j to participant j.

Participant ℓ ∉ N(dealer): Wait until receipt of one value each from any d neighbours, and then perform
the following actions (if more than d neighbours pass data, retain data from some arbitrary d of these nodes).
Denote this set of d neighbours as {i_1, ..., i_d} ⊆ N(ℓ), and the values received from them as {σ_1, ..., σ_d}
respectively. Compute the vector

v = \begin{bmatrix} \psi_{i_1}^T \\ \vdots \\ \psi_{i_d}^T \end{bmatrix}^{-1} \begin{bmatrix} \sigma_1 \\ \vdots \\ \sigma_d \end{bmatrix}.

For every neighbour j ∈ N(ℓ) from whom you did not receive data, compute and pass the inner product v^T ψ_j
to participant j.



Remark 2: Under this algorithm, unnecessary communication may occur when (i) more than d participants 
simultaneously attempt to transmit data to a participant who is not directly connected to the dealer, or when (ii) 
neighbouring participants that are also connected directly to the dealer attempt to transmit data to each other. This 
can be avoided by employing a simple handshaking protocol between neighbours: a participant who is ready to 
transmit data to its neighbour, requests the neighbour for an approval of this transmission, prior to actually sending 
the data. 
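As an added example (not the paper's code), the following Python simulates Algorithm 1 over a small prime field: the dealer builds M as in (6), dealer-neighbours receive ψ_ℓ^T M, every other participant solves the Vandermonde system from d received values, and the result is checked against the intended share of (8) (Theorem 1) and then any k shares are used to recover s (Theorem 2). The field size q = 11, the secret values and both edge lists are constructed assumptions; the Fig. 1b edges among participants 3 to 6 are our own, consistent with the paper's description, and the ordering only drives the simulation (the nodes' rules do not depend on it).

```python
# Added example (not the paper's code): Algorithm 1 simulated over a prime field F_q,
# with the dealer's matrix M of (6), the shares of (8), and Theorem 2 recovery.
import random
Q = 11  # constructed prime field size; the paper requires q > n

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def psi(i, d):
    """Encoding vector psi_i = [1, i, i^2, ..., i^(d-1)] of (5)."""
    return [pow(i, e, Q) for e in range(d)]

def solve(A, b):
    """Solve A x = b over F_q by Gauss-Jordan elimination (A square, invertible)."""
    n = len(A)
    aug = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        p = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[p] = aug[p], aug[c]
        f = pow(aug[c][c], Q - 2, Q)                  # inverse of the pivot
        aug[c] = [x * f % Q for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [(x - aug[r][c] * y) % Q for x, y in zip(aug[r], aug[c])]
    return [row[n] for row in aug]

def build_M(secret, k, d, rng):
    """The symmetric (d x d) matrix M of (6). Blocks: S_A scalar, r_a (k-1),
    S_B (d-k), R_B symmetric (k-1)x(k-1), R_C (d-k)x(k-1), zero (d-k)x(d-k)."""
    assert len(secret) == d - k + 1
    S_B, S_A = secret[:d - k], secret[d - k]
    M = [[0] * d for _ in range(d)]
    M[0][0] = S_A
    for i in range(1, k):
        M[0][i] = M[i][0] = rng.randrange(Q)          # r_a and r_a^T
        for j in range(i, k):
            M[i][j] = M[j][i] = rng.randrange(Q)      # R_B (symmetric)
    for i in range(k, d):
        M[0][i] = M[i][0] = S_B[i - k]                # S_B and S_B^T
        for j in range(1, k):
            M[i][j] = M[j][i] = rng.randrange(Q)      # R_C and R_C^T
    return M

def share(row, k):
    """The share t_l of (8): the first and the last (d-k) components of psi_l^T M."""
    return [row[0]] + row[k:]

def disseminate(M, neighbours, order, d):
    """Algorithm 1 driven along `order`; returns {l: psi_l^T M}. A dealer's neighbour
    gets psi_l^T M directly; any other node collects sigma_j = psi_j^T M psi_l from
    d neighbours and solves [psi_j^T]_j v = [sigma_j]_j, so v = M psi_l = (psi_l^T M)^T."""
    rows = {}
    for l in order:
        if "dealer" in neighbours[l]:
            rows[l] = [dot(M[c], psi(l, d)) for c in range(d)]
            continue
        senders = [j for j in neighbours[l] if j in rows][:d]
        if len(senders) < d:
            raise ValueError(f"node {l} cannot hear from {d} earlier neighbours")
        sigma = [dot(rows[j], psi(l, d)) for j in senders]   # what each j sends
        rows[l] = solve([psi(j, d) for j in senders], sigma)
    return rows

def recover(shares, k, d):
    """Theorem 2: any k shares {l: t_l} return s = [S_B^T S_A]^T. The last (d-k)
    share components involve only the first k coordinates of psi_l, so the k x k
    Vandermonde gives S_B (and R_C); the first component then gives S_A."""
    ids = sorted(shares)[:k]
    V = [psi(l, d)[:k] for l in ids]
    S_B = [solve(V, [shares[l][1 + c] for l in ids])[0] for c in range(d - k)]
    first = [(shares[l][0] - dot(psi(l, d)[k:], S_B)) % Q for l in ids]
    return S_B + [solve(V, first)[0]]

def demo(links, k, d, secret, seed=7):
    """Dealer builds M and Algorithm 1 runs over the undirected `links`; returns
    the shares and whether each equals the dealer's intended share (Theorem 1)."""
    M = build_M(secret, k, d, random.Random(seed))
    nbrs = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    nodes = sorted(v for v in nbrs if v != "dealer")
    rows = disseminate(M, nbrs, nodes, d)
    intended = {l: share([dot(M[c], psi(l, d)) for c in range(d)], k) for l in nodes}
    shares = {l: share(rows[l], k) for l in nodes}
    return shares, shares == intended

# Constructed network consistent with the paper's Fig. 1b (dealer adjacent only to
# 1 and 2; each later participant adjacent to two earlier ones; edges assumed).
FIG1B = [("dealer", 1), ("dealer", 2), (1, 3), (2, 3), (2, 4), (3, 4),
         (3, 5), (4, 5), (4, 6), (5, 6)]
# Constructed denser network satisfying the 3-propagating-dealer condition (d = 3).
DENSE = [("dealer", 1), ("dealer", 2), ("dealer", 3), (1, 4), (2, 4), (3, 4),
         (2, 5), (3, 5), (4, 5), (3, 6), (4, 6), (5, 6)]

if __name__ == "__main__":
    shares, ok = demo(FIG1B, k=2, d=2, secret=[7])
    print(ok, recover({3: shares[3], 6: shares[6]}, 2, 2))   # True [7]
    shares, ok = demo(DENSE, k=2, d=3, secret=[4, 9])
    print(ok, recover({2: shares[2], 5: shares[5]}, 2, 3))   # True [4, 9]
```

With d = k = 2 the matrix M holds exactly the 2 random values counted by (7), matching Example 1, while the DENSE run shows a secret of length d − k + 1 = 2 carried by the same protocol.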



C. Correctness of the Protocol 

The following theorems show that each participant indeed receives its intended share (8), and the algorithm
satisfies the properties of k-secret-recovery, (k − 1)-collusion-resistance and robustness to network structure. The
communication and computational efficiency of the algorithm are discussed in Appendix A.

Theorem 1 (Successful share dissemination): Under the algorithm presented, every participant ℓ ∈ [n] can
recover ψ_ℓ^T M, and hence obtain its intended share

t_\ell^T = \psi_\ell^T \begin{bmatrix} S_A & S_B^T \\ r_a & R_C^T \\ S_B & 0 \end{bmatrix}.

Proof: Recall that the graph satisfies the d-propagating-dealer condition. Let us assume without loss of generality
that the ordering of vertices satisfying this condition is 1, ..., n. It follows that the first d vertices in this ordering
must be connected directly to the dealer.

The proof proceeds via induction. The induction hypothesis is as follows: every participant ℓ can recover the data
ψ_ℓ^T M, and if ℓ passes any data to any other node j ∈ N(ℓ) then this data is precisely the value ψ_ℓ^T M ψ_j. Consider
the base case of node 1. Since this node is connected directly to the dealer, it receives the data ψ_1^T M from the
dealer. Moreover, following the communication protocol, it passes ψ_1^T M ψ_j to its neighbours j ∈ N(1). Let us
now assume that the hypothesis holds true for the first (ℓ − 1) nodes in the ordering. If node ℓ is connected directly
to the dealer, then the hypothesis is satisfied for this node by an argument identical to the case of node 1. Suppose
ℓ is not connected to the dealer. It follows that node ℓ must be connected to at least d other nodes preceding it in
the ordering, and furthermore, must receive data from at least d of these nodes (say, nodes {j_1, ..., j_d} ⊆ [ℓ − 1]).
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By our hypothesis, these d nodes pass the d values {tpJ^Mtp^. 
at node £ operates on the input 



-i/j^M'j/'f}. It follows that the algorithm running 



0-1 









(9) 



By construction, the matrix in Q comprising {tpj^, • • • , ''/'j^} as its rows is a (d x d) Vandermonde matrix, and 
hence is invertible. Thus, computing v in the algorithm can be performed efficiently using standard Reed-Solomon 
decoding algorithms |28|, |29|. Thus, we have v = Mip^, and since M is a symmetric matrix, we get v'^ = 
ipijM^ = tpjM. Finally, the data passed by node i to any other node i G M{1), according to the protocol, is 
v^ipi = tpjMip^. This proves the hypothesis for node £. 

Due to the specific structure Q of M, the desired share t£ is a subset of the elements of the vector if^jM. Thus, 
every participant obtains its intended share. ■ 

Theorem 2 ($k$-secret-recovery): Any $k$ shares suffice to recover the secret.

Proof: Let $\mathcal{I} \subset [n]$ denote the set of the $k$ participants attempting to recover the secret. Let $\Psi_{\mathcal{I}}$ be a $(k \times d)$ matrix with its $k$ rows comprising $\{\psi_i^T\}_{i \in \mathcal{I}}$. Further, let $\tilde{\Psi}_{\mathcal{I}}$ denote the $(k \times k)$ submatrix of $\Psi_{\mathcal{I}}$ comprising the first $k$ columns of $\Psi_{\mathcal{I}}$. In terms of this notation, these $k$ participants collectively have access to the data

$$\Psi_{\mathcal{I}} M = \Psi_{\mathcal{I}} \begin{bmatrix} S_a & R_a^T & S_b^T \\ R_a & R_b & R_c^T \\ S_b & R_c & \mathbf{0} \end{bmatrix}.$$

Consider the columns of this data corresponding to the last block of columns of $M$, i.e.,

$$\Psi_{\mathcal{I}} \begin{bmatrix} S_b^T \\ R_c^T \\ \mathbf{0} \end{bmatrix} = \tilde{\Psi}_{\mathcal{I}} \begin{bmatrix} S_b^T \\ R_c^T \end{bmatrix}.$$

Since $\Psi_{\mathcal{I}}$ is a $(k \times d)$ Vandermonde matrix, $\tilde{\Psi}_{\mathcal{I}}$ is a $(k \times k)$ Vandermonde matrix. Thus, $\tilde{\Psi}_{\mathcal{I}}$ is invertible. This allows for the decoding of $S_b$ and $R_c$ (via an algorithm [28], [29] identical to decoding under Shamir's classical secret sharing scheme). It remains to recover $S_a$, and to this end consider the first column of the data, i.e.,

$$\Psi_{\mathcal{I}} \begin{bmatrix} S_a \\ R_a \\ S_b \end{bmatrix}.$$

Since the value of $S_b$ is now known, its effect can be subtracted from this data to obtain

$$\Psi_{\mathcal{I}} \begin{bmatrix} S_a \\ R_a \\ \mathbf{0} \end{bmatrix} = \tilde{\Psi}_{\mathcal{I}} \begin{bmatrix} S_a \\ R_a \end{bmatrix}.$$

Since $\tilde{\Psi}_{\mathcal{I}}$ is invertible, the value of $S_a$ can now be decoded from this data. ■

Theorem 3 ($(k-1)$-collusion-resistance): Any set of $(k-1)$ or fewer colluding participants can gain no information about the secret.

Proof: The proof of this theorem is provided in Appendix B. ■

Corollary 4 (Robustness to the network topology): It follows from the proof of Theorem 3 that the $(k-1)$-collusion-resistance property holds irrespective of the network topology. This, along with the results of Theorem 1 and Theorem 2, implies the property of robustness to the network topology.



This completes the verification of the correctness of our algorithm.

Remark 3: In certain scenarios, the communication network may be known beforehand, and it may be desired to verify whether it satisfies the $d$-propagating-dealer condition. This task can be performed efficiently by simply simulating the communication protocol of Algorithm 1 on this network: the $d$-propagating-dealer condition is satisfied if and only if all nodes successfully obtain their shares.

Remark 4: Suppose the graph satisfies the necessary $k$-connected-dealer condition, but not the $k$-propagating-dealer condition. In this case, the algorithm will successfully disseminate shares to a subset of the nodes (which form a subgraph satisfying the $k$-propagating-dealer condition). However, if the graph is known beforehand, then a hybrid algorithm can be employed: the algorithm of this paper disseminates shares efficiently to this subset of nodes, while pairwise agreement protocols disseminate shares to the remaining nodes.
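As an added illustration that is not part of the paper, the following Python simulation runs the dissemination protocol of Section IV over a constructed network in a prime field, checks that each served participant ends up holding $\psi_\ell^T M$ (Theorem 1), recovers the secret from any $k$ of the resulting rows (Theorem 2), and uses the set of served nodes as the simulation-based test of the $d$-propagating-dealer condition from Remarks 3 and 4. The field size $q = 101$, the parameters $k = 3$, $d = 4$, $n = 7$, the graph and the secret are all constructed here; the block structure of $M$ follows Appendix D with $k' = 1$.

```python
import random

Q = 101             # constructed: prime field size q > n
K, D, N = 3, 4, 7   # thresholds k <= d and the number of participants
SECRET = [42, 17]   # the d - k + 1 = 2 secret values: s_a and the entries of S_b

def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % Q

def psi(i, d):
    """Encoding vector [1, i, ..., i^(d-1)] of participant i (a Vandermonde row)."""
    return [pow(i, e, Q) for e in range(d)]

def solve(A, b):
    """Solve A x = b over F_q by Gauss-Jordan elimination (A square and invertible)."""
    n, W = len(A), [row[:] + [b[r]] for r, row in enumerate(A)]
    for c in range(n):
        p = next(r for r in range(c, n) if W[r][c])
        W[c], W[p] = W[p], W[c]
        f = pow(W[c][c], Q - 2, Q)                  # inverse via Fermat's little theorem
        W[c] = [x * f % Q for x in W[c]]
        for r in range(n):
            if r != c and W[r][c]:
                g = W[r][c]
                W[r] = [(x - g * y) % Q for x, y in zip(W[r], W[c])]
    return [row[n] for row in W]

def build_M(k, d, secret, rng):
    """Symmetric d x d matrix of Section IV (Appendix D with k' = 1): s_a at (0, 0), S_b in
    column 0 / row 0 at indices k..d-1, random R_a, R_b, R_c, and a zero bottom-right block."""
    M = [[0] * d for _ in range(d)]
    M[0][0] = secret[0]
    for i in range(k, d):
        M[i][0] = M[0][i] = secret[1 + i - k]       # S_b and S_b^T
    for i in range(1, k):
        M[i][0] = M[0][i] = rng.randrange(Q)        # R_a and R_a^T
        for j in range(i, d):
            M[i][j] = M[j][i] = rng.randrange(Q)    # R_b (j < k, symmetric) and R_c (j >= k)
    return M

def disseminate(adj, dealer_nbrs, M, d):
    """Protocol of Section IV: dealer-adjacent participants receive M psi_l (= psi_l^T M, as M is
    symmetric); every other participant collects d values sigma_j = psi_j^T M psi_l, solves
    [psi_j1; ..; psi_jd] v = [sigma_1; ..; sigma_d] (so v = M psi_l) and forwards v^T psi_i."""
    data = {l: [dot(row, psi(l, d)) for row in M] for l in dealer_nbrs}
    inbox, ready = {l: {} for l in adj}, list(dealer_nbrs)
    while ready:
        j = ready.pop()
        for i in adj[j]:
            if i in data or j in inbox[i]:
                continue                            # i is already served, or already heard j
            inbox[i][j] = dot(data[j], psi(i, d))   # the value psi_j^T M psi_i
            if len(inbox[i]) == d:                  # d neighbours heard from: decode
                s = sorted(inbox[i])
                data[i] = solve([psi(t, d) for t in s], [inbox[i][t] for t in s])
                ready.append(i)
    return data

def recover_secret(rows, k, d):
    """Theorem 2: from any k rows psi_l^T M, columns k..d-1 give S_b via a k x k Vandermonde
    system; removing S_b from column 0 leaves a second such system whose first unknown is s_a."""
    nodes = sorted(rows)[:k]
    V = [psi(l, k) for l in nodes]
    s_b = [solve(V, [rows[l][c] for l in nodes])[0] for c in range(k, d)]
    col0 = [(rows[l][0] - sum(pow(l, c, Q) * s_b[c - k] for c in range(k, d))) % Q for l in nodes]
    return [solve(V, col0)[0]] + s_b

def graph(edges):  # undirected adjacency sets over participants 1..N (a + b - l: other endpoint)
    return {l: {a + b - l for a, b in edges if l in (a, b)} for l in range(1, N + 1)}

# Constructed network: dealer linked to 1..4; each of 5, 6, 7 has d = 4 earlier neighbours, so the
# 4-propagating-dealer condition holds (Remark 3). Without edge (7, 6), node 7 is not served (Remark 4).
DEALER_NBRS = [1, 2, 3, 4]
EDGES = [(5, 1), (5, 2), (5, 3), (5, 4), (6, 2), (6, 3), (6, 4), (6, 5), (7, 3), (7, 4), (7, 5), (7, 6)]
M = build_M(K, D, SECRET, random.Random(7))

if __name__ == "__main__":
    rows = disseminate(graph(EDGES), DEALER_NBRS, M, D)
    print(sorted(rows), recover_secret({l: rows[l] for l in (5, 6, 7)}, K, D))  # [1, 2, 3, 4, 5, 6, 7] [42, 17]
    print(sorted(disseminate(graph(EDGES[:-1]), DEALER_NBRS, M, D)))              # [1, 2, 3, 4, 5, 6]
```

Every served participant holds exactly $M\psi_\ell$, so the pairwise common values $\psi_i^T M \psi_j$ agree between any two of them, which is also what the dealer-consistency check of Appendix C compares.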

V. Conclusion 

This paper presents an algorithm to disseminate shares of a secret in a setting where the dealer and the participants may form a general network. The algorithm is communication-efficient, distributed, and deterministic (guaranteed). The algorithm successfully disseminates the shares if the network satisfies the $d$-propagating-dealer condition, and does not leak any information otherwise. The result of this paper is an instance of a network coding problem admitting a deterministic and distributed solution. Moreover, it handles the case of nodal-eavesdropping in network coding, about which very little appears to be known in the literature.

A distinctive feature of the algorithm is that it is both distributed and deterministic. A future goal is to construct 
distributed and deterministic algorithms for broader classes of networks, for secret share dissemination and other 
communication problems. 
Appendix A
Properties and Extensions of the Algorithm

A. Communication and Computational Efficiency

We measure the communication efficiency of the algorithm in terms of the amount of data downloaded by each node (normalized with respect to the size of the secret). Recall that the size of the secret is $(d-k+1)$ values over $\mathbb{F}_q$. First, consider a participant $\ell$ $(1 \le \ell \le n)$ that is not directly connected to the dealer. Under the algorithm, participant $\ell$ downloads one value each from $d$ other participants. To satisfy the properties of $k$-secret-recovery and $(k-1)$-collusion-resistance, participant $\ell$ must have $(d-k+1)$ values in addition to what it obtains from any set of $(k-1)$ other participants. Thus this is the minimum possible download required to recover the share by connecting to $d$ other participants. On the other hand, participants connected directly to the dealer download $d$ values from it. The minimum download required is $(d-k+1)$ in this case; the additional downloaded values aid in transmitting shares to the participants that are not directly connected to the dealer.

As compared to using pairwise agreement protocols, the communication complexity is reduced roughly by a (multiplicative) factor equal to the average of the lengths of $d$ vertex-disjoint paths from the dealer to any node. This is because under our algorithm, for a secret comprising $(d-k+1)$ symbols, each participant downloads one symbol each from $d$ of its neighbours. On the other hand, for a secret of this size, protocols based on pairwise agreement require communication of one symbol each across $d$ disjoint paths from the dealer to each participant. Of course, an additional advantage of our algorithm is that it is completely distributed, while those using pairwise agreement protocols require considerable coordination across the network.

The algorithm is computationally efficient since every participant is required to perform no more than one decoding and one encoding of a Reed-Solomon code, for which several efficient algorithms are known [28], [29].



B. Addition of New Participants in Absence of Trusted Entities 

In several applications of interest, one may be faced with a scenario where the dealer exits the system after distributing the shares to the $n$ participants, and a new participant is to be added to the system in the absence of the dealer or any other trusted entity. The new share is to be created and passed to the new participant such that the properties of $(k-1)$-collusion-resistance and $k$-secret-recovery continue to hold. Furthermore, the information obtained by the new participant must be precisely what it would have obtained had the dealer been present in the system.

We first describe a naive means to accomplish this task. Suppose the system currently has $n$ participants, and it is desired to add a new participant $(n+1)$. Observe that all the data initially available to the dealer can be recovered from any $k$ shares, and the share $\mathbf{t}_{n+1}$ of the new participant is a function of this data. Thus, one can treat the share $\mathbf{t}_{n+1}$ as a function of these $k$ shares, and employ a secure multiparty computation protocol (e.g., the BGW protocol of [2]) to provide $\mathbf{t}_{n+1}$ to participant $(n+1)$. However, this method requires a considerable amount of communication and coordination among the existing participants.

We now present an efficient method of adding new participants, by employing the algorithm presented in Section IV. Recall that the algorithm is associated with two parameters $k$ and $d\ (\ge k)$, and the size of the secret is $(d-k+1)$ values over $\mathbb{F}_q$. Assume that $q > (n+1)$. Under our algorithm, the process of adding a new participant requires a consensus of $d$ existing participants. The pair of parameters $k$ and $d$ allows for two levels of threshold, the former to recover the secret and the latter to add new participants. A higher value of the parameter $d$ may be useful in various scenarios. For instance, a higher threshold for adding new participants would help in guarding against Sybil attacks [30], where a malicious participant may attempt to obtain additional shares of the secret by presenting itself as multiple new participants. In this situation, the parameter $d$ determines the level of scrutiny while adding a new participant.

To provision for the addition of participants in the absence of the dealer, we make a small modification to the algorithm of Section IV: each participant $\ell$ $(1 \le \ell \le n)$ stores the $d$ values $\psi_\ell^T M$ instead of storing only $\mathbf{t}_\ell$ (which is a subset of $\psi_\ell^T M$). Let $\psi_{n+1} = [1\ \ (n+1)\ \ (n+1)^2\ \cdots\ (n+1)^{d-1}]^T$ be the encoding vector of the new participant. In the presence of a dealer or a trusted entity, its share in the scheme would have been $\psi_{n+1}^T M$. Now, assume that some $d$ existing participants (say, participants $1, \ldots, d$) agree to add the new participant $(n+1)$. Each of these $d$ participants $1 \le j \le d$ passes $\psi_j^T M \psi_{n+1}$ to participant $(n+1)$. As shown in Theorem 1, the new participant can recover its desired data $\psi_{n+1}^T M$ from $\{\psi_j^T M \psi_{n+1}\}_{j=1}^{d}$. Clearly, under this algorithm for addition of a new participant, no participant obtains any additional information.
C. Active Adversaries and Verification of Shares

Throughout the paper we assumed an honest-but-curious model, where the participants honestly follow the protocol, but may gather any available information. Now, we consider the case when some participants may be active adversaries, i.e., may pass corrupt values to their neighbours (in addition to trying to gather information about the secret). We show how to modify the communication algorithm of Section IV to handle the case when there are up to $t$ active adversaries in the system, for some given parameter $t$.

The modified algorithm requires the network to satisfy a $(d+2t)$-propagating-dealer condition; let us assume this holds. Under the algorithm, the dealer computes the matrix $M$ and the encoding vectors, as described in Section IV. As before, to each participant $i$ directly connected to the dealer, it passes the data $\psi_i^T M$. The modification is in the downloads performed by the remaining participants. Every participant $\ell$ who is not connected to the dealer waits to receive data from $(d+2t)$ of its neighbours. Let us assume that participant $\ell$ receives data from neighbours $\{j_1, \ldots, j_{d+2t}\}$. According to the protocol, this data is the set of $(d+2t)$ values $\{\psi_{j_1}^T M \psi_\ell, \ldots, \psi_{j_{d+2t}}^T M \psi_\ell\}$. By construction, any $d$ vectors from the set $\{\psi_{j_1}, \ldots, \psi_{j_{d+2t}}\}$ are linearly independent. Thus, the $(d+2t)$ values downloaded by node $\ell$ form a Maximum-Distance-Separable (MDS) encoding of the $d$-length vector $M \psi_\ell$. Furthermore, since at most $t$ of the participants may be actively adversarial, no more than $t$ out of the $(d+2t)$ downloaded values can be in error. Thus, participant $\ell$ can apply standard Reed-Solomon decoding algorithms [28] and recover $M \psi_\ell$ correctly. Finally, since $M$ is symmetric by construction, participant $\ell$ equivalently obtains its desired data $\psi_\ell^T M$.

Let us now consider the case when the dealer may be malicious. A dealer is malicious if the shares it passes to the participants are not consistent with each other, i.e., different sets of $k$ shares may decode to different values of the secret $s$. Under the algorithm presented, the participants can detect a malicious dealer without leaking any information, by comparing parts of their shares with each other. Observe that under the algorithm, every pair of participants, say participants $i$ and $j$, store one common value $\psi_i^T M \psi_j = \psi_j^T M \psi_i$. Moreover, as discussed above, the values a participant (say, participant $i$) stores in common with all other participants form an MDS encoding $\{\psi_i^T M \psi_j\}_{j \in [n]}$ of $\psi_i^T M$. Thus, inconsistencies in the shares due to a malicious dealer can be detected via pairwise comparisons of the common symbols among the participants.



D. Two-threshold Secret Sharing

In [31], the authors introduced a modification of Shamir's secret sharing scheme to include two thresholds $k$ and $k'\ (< k)$. The modified scheme satisfies the properties of $k$-secret-recovery and $k'$-collusion-resistance (Shamir's original scheme is a special case with $k' = k-1$). The relaxation of $k'$ to a value smaller than $(k-1)$ allows for the reduction of the size of each share (normalized by the message size), thus requiring the dealer to transmit a smaller amount of data, and the participants to store less data.

We now generalize the algorithm of Section IV for secret share dissemination across a general network, to accommodate two thresholds. The generalization only modifies the structure of the matrix $M$ in the original algorithm. Given two thresholds $k$ and $k'$, the dimensions of the constituent submatrices of $M$ are changed to

$$M = \begin{bmatrix} S_a & R_a^T & S_b^T \\ R_a & R_b & R_c^T \\ S_b & R_c & \mathbf{0} \end{bmatrix}, \qquad \text{with block rows (and columns) of sizes } k',\ (k-k'),\ (d-k),$$

where

• $S_a$ is a symmetric $(k' \times k')$ matrix containing $\frac{k'(k'+1)}{2}$ secret values,

• $S_b$ is a $((d-k) \times k')$ matrix containing $k'(d-k)$ secret values,

• $R_a$ is a $((k-k') \times k')$ matrix containing $k'(k-k')$ random values,

• $R_b$ is a $((k-k') \times (k-k'))$ symmetric matrix containing $\frac{(k-k')(k-k'+1)}{2}$ random values,

• $R_c$ is a $((d-k) \times (k-k'))$ matrix containing $(d-k)(k-k')$ random values.

Each random or secret value is drawn from the finite field $\mathbb{F}_q$. Note that $M$ continues to be a $(d \times d)$ symmetric matrix. The remaining algorithm remains the same as in Section IV. The properties of $k$-secret-recovery, $k'$-collusion-resistance and robustness to network structure can be verified via arguments similar to those in Section IV-C for the original algorithm.

Remark 5 (Content distribution): In the absence of security requirements, this scheme can be used for content 
distribution across a network, by replacing all random values by message values (i.e., with k' = 0). In this scenario, 
each receiver in the content distribution network can recover the entire data M by connecting to any arbitrary set 
of k of the n nodes. 



E. Degree of the Share Polynomial

In the secret share dissemination algorithm of Section IV, observe from (8) that when $d > (k+1)$, the first secret value is encoded as a polynomial of degree $(d-1)$ (all other secret values are encoded as polynomials of degree $(k-1)$). In certain applications, however, it may be required to have polynomials of degree no more than $(k-1)$. In such a situation, one may simply replace the secret value $S_a$ in $M$ with a random value. While this step reduces the communication efficiency of the algorithm, it retains all other essential properties including its distributed nature, $k$-secret-recovery, $(k-1)$-collusion-resistance, and robustness to the network structure.



F. Other related literature

1) Regenerating Codes for Distributed Storage:
Regenerating codes [27] are a class of codes for distributed storage systems that aim to provide reliability and efficient fault-handling. Product-matrix codes [11], upon which our algorithm is based, are a class of explicit constructions of regenerating codes. These codes have the following special properties that make them suitable for secret share dissemination: (a) scalability, i.e., a node under repair is not constrained to connect to all remaining nodes (the only other scalable regenerating code constructions are the high-rate MDS codes of [22], [23]; however, no secure versions of these codes are known), (b) information-theoretic security [21], [34] (the only other secure codes are the secure repair-by-transfer codes of [32], [35], [36]; however, these codes are not scalable), (c) a failed node can be repaired from any $d$ remaining nodes (thus aiding the distributed nature), (d) the data a node passes to the failed node is independent of the identities of the other nodes helping in repair (again, making it distributed).

2) Interference Alignment in Wireless Communication:
Consider the $(n = 6,\ k = d = 2)$ toy example of our algorithm, depicted in Fig. 2b. Here, the data passed by any participant $j$ to its neighbour $\ell$ is $(s + \ell r) + j(r + \ell r')$. The share desired by participant $\ell$ is $(s + \ell r)$, and by design, the data passed by participant $j$ to $\ell$ is a linear combination of participant $\ell$'s share $(s + \ell r)$ and a random term $(r + \ell r')$. The random term $(r + \ell r')$ ensures that participant $j$ does not possess any information about the share $(s + \ell r)$ of participant $\ell$. Now, to enable participant $\ell$ to remove this (undesired) random component, the algorithm ensures that the data passed by any participant $j$ to participant $\ell$ is $(s + \ell r)$ obfuscated with (a multiple of) the same random term $(r + \ell r')$. The linear dependence among these (undesired) random components allows participant $\ell$ to solve for the value of $(s + \ell r)$ using the fewest equations (i.e., the least amount of download), thereby reducing the communication complexity. The general algorithm presented in Section IV also forces the undesired components, in the data downloaded by any participant, to span a small dimension. Interestingly, such a phenomenon of restricting the dimension of undesired components has recently received considerable attention in the wireless communication literature, and is termed interference alignment [37], [38]. This arises in a setting where multiple transmitter-receiver pairs communicate simultaneously over a wireless channel. At any receiver, the signals transmitted by all other transmitters constitute (undesired) interference, which needs to be restricted to a small dimension in order to achieve a higher communication efficiency.
3) Certain Authentication Protocols:
Although our path leading to this result was via the area of distributed storage, an authentication protocol for MANETs presented in [39], and a commitment-verification protocol of [40], turn out to be special cases of the encoding part of our algorithm. In these works, the dealer constructs a random symmetric bivariate polynomial with the secret as its constant term, and provides each participant with an evaluation of this polynomial in the first coordinate at the participant's index (leaving the second coordinate as a variable). This is analogous to the encodings in our scheme when $d = k$.



Appendix B
Proof of $(k-1)$-collusion-resistance

Proof of Theorem 3: The proof is a modification of [21, Theorem 1]. Let $\mathcal{J} \subset [n]$ denote the set of $(k-1)$ participants colluding in an attempt to recover information about the secret $s$. Denote the number of secret values (over $\mathbb{F}_q$) by $S = d-k+1$. Further, let $\mathbf{r}$ denote the collection of the $R = (k-1)d - \binom{k-1}{2}$ random values introduced initially by the dealer.

The data obtained by any participant $j \in \mathcal{J}$ is a subset of the values $\psi_j^T M$ and $\{\psi_\ell^T M \psi_j\}_{\ell \in [n]}$. Since the matrix $M$ is symmetric, $\{\psi_\ell^T M \psi_j\}_{\ell \in [n]} = \{\psi_j^T M \psi_\ell\}_{\ell \in [n]}$. Thus, participant $j$ obtains at most the $d$ values $\psi_j^T M$ in the execution of the protocol. On the other hand, Theorem 1 shows that participant $j$ can completely recover $\psi_j^T M$. Now, let $\Psi_{\mathcal{J}}$ be the $((k-1) \times d)$ submatrix of $\Psi$ comprising the $(k-1)$ vectors $\{\psi_j^T\}_{j \in \mathcal{J}}$ as its rows. Under this notation, the $(k-1)$ colluding participants together have access to at most the $(k-1)d$ values

$$\mathcal{C}_{\mathcal{J}} = \Psi_{\mathcal{J}} M = \Psi_{\mathcal{J}} \begin{bmatrix} S_a & R_a^T & S_b^T \\ R_a & R_b & R_c^T \\ S_b & R_c & \mathbf{0} \end{bmatrix}.$$

Let $\mathbf{e}$ denote the set of these $(k-1)d$ values.



Throughout the proof, we will use the function $H(\cdot)$ to denote the Shannon entropy. All logarithms in the computation of the entropy functions are assumed to be taken to the base $q$.

As an intermediate step in the proof, we shall show that given all the secret values $\mathbf{s}$ as side-information, the $(k-1)$ colluding participants can recover all the $R$ random values, i.e., $H(\mathbf{r} \mid \mathbf{e}, \mathbf{s}) = 0$. To this end, observe that if the secret values $S_a$ and $S_b$ are known to the eavesdropper, then since the code is linear, it can subtract the components of $S_a$ and $S_b$ from $\mathcal{C}_{\mathcal{J}}$ to obtain

$$\tilde{\mathcal{C}}_{\mathcal{J}} = \Psi_{\mathcal{J}} \begin{bmatrix} 0 & R_a^T & \mathbf{0} \\ R_a & R_b & R_c^T \\ \mathbf{0} & R_c & \mathbf{0} \end{bmatrix}.$$

Since $\Psi_{\mathcal{J}}$ is Vandermonde with all non-zero entries, when restricted to columns 2 to $(k-1)$ it forms a $((k-1) \times (k-1))$ invertible matrix. This allows recovery of the random values in $R_a$ and $R_c$. Subtracting the components of these decoded values, one is left with

$$\Psi_{\mathcal{J}} \begin{bmatrix} 0 & \mathbf{0} & \mathbf{0} \\ \mathbf{0} & R_b & \mathbf{0} \\ \mathbf{0} & \mathbf{0} & \mathbf{0} \end{bmatrix},$$

and in a manner identical to that of decoding $R_a$ and $R_c$, the eavesdropper can decode the remaining random values $R_b$. Thus, given the secret values, the $(k-1)$ participants can decode all the random values, and hence

$$H(\mathbf{r} \mid \mathbf{e}, \mathbf{s}) = 0. \qquad (11)$$



As another intermediate step in the proof, we will now show that all but $R$ of the values obtained by the $(k-1)$ participants are functions of the other values that they possess, i.e., $H(\mathbf{e}) \le R$. From the value of $R$ in (7), it suffices to show that out of the $(k-1)d$ values that the eavesdropper has access to, $\binom{k-1}{2}$ of them are functions (linear combinations) of the rest. Consider the $((k-1) \times (k-1))$ matrix

$$\Psi_{\mathcal{J}} M \Psi_{\mathcal{J}}^T = \mathcal{C}_{\mathcal{J}} \Psi_{\mathcal{J}}^T. \qquad (12)$$

Since $M$ is symmetric, this $((k-1) \times (k-1))$ matrix in (12) is also symmetric. Thus $\binom{k-1}{2}$ dependencies among the elements of $\mathcal{C}_{\mathcal{J}}$ can be described by the $\binom{k-1}{2}$ upper-triangular elements of the expression

$$\mathcal{C}_{\mathcal{J}} \Psi_{\mathcal{J}}^T - \left(\mathcal{C}_{\mathcal{J}} \Psi_{\mathcal{J}}^T\right)^T = \mathbf{0}. \qquad (13)$$

Since the rows of $\Psi_{\mathcal{J}}$ are linearly independent, these $\binom{k-1}{2}$ redundant equations are independent. Thus the eavesdropper has access to at most $(k-1)d - \binom{k-1}{2}$ independent values, which equals the value of $R$, and hence

$$H(\mathbf{e}) \le R. \qquad (14)$$



We finally show that the two conditions (11) and (14) above must necessarily imply that the mutual information between the secret values $\mathbf{s}$ and the values obtained by the eavesdropper $\mathbf{e}$ is zero, i.e., $I(\mathbf{s}; \mathbf{e}) = 0$:

$$\begin{aligned}
I(\mathbf{s}; \mathbf{e}) &= H(\mathbf{e}) - H(\mathbf{e} \mid \mathbf{s}) & (15) \\
&\le R - H(\mathbf{e} \mid \mathbf{s}) & (16) \\
&= R - H(\mathbf{e} \mid \mathbf{s}) + H(\mathbf{e} \mid \mathbf{s}, \mathbf{r}) & (17) \\
&= R - I(\mathbf{e}; \mathbf{r} \mid \mathbf{s}) & (18) \\
&= R - \left( H(\mathbf{r} \mid \mathbf{s}) - H(\mathbf{r} \mid \mathbf{e}, \mathbf{s}) \right) & (19) \\
&= R - H(\mathbf{r} \mid \mathbf{s}) & (20) \\
&= R - R & (21) \\
&= 0, & (22)
\end{aligned}$$

where (16) follows from (14); (17) follows since every value in the system is a function of $\mathbf{s}$ and $\mathbf{r}$, giving $H(\mathbf{e} \mid \mathbf{s}, \mathbf{r}) = 0$; (20) follows from (11); and (21) follows since the random values are independent of the secret values. Thus, $\mathbf{s}$ and $\mathbf{e}$ are independent random variables. ■



